Summary

On June 4, 2015, the U.S. Office of Personnel Management (OPM) revealed that a cyber 
intrusion had impacted its information technology systems and data, potentially compromising 
the personal information of about 4.2 million former and current federal employees. Later that 
month, OPM reported a separate cyber incident targeting OPM’s databases housing background 
investigation records. This breach is estimated to have compromised sensitive information of 21.5
million individuals. 

Amid criticisms of how the agency managed its response to the intrusions and secured its 
information systems, Katherine Archuleta has stepped down as the director of OPM, and Beth 
Cobert has taken on the role of acting director. In addition, OPM’s Electronic Questionnaires for 
Investigations Processing (e-QIP) application, the system designed to help process forms used in
conducting background investigations, has been taken offline for security improvements. 

Officials are still investigating the actors behind the breaches and what the motivations might 
have been. Theft of personally identifiable information (PII) may be used for identity theft and
financially motivated cybercrime, such as credit card fraud. Many have speculated that the OPM 
data were taken for espionage rather than for criminal purposes, however, and some have cited 
China as the source of the breaches. 

It remains unclear how the data from the OPM breaches might be used if they are indeed now in 
the hands of the Chinese government. Some suspect that the Chinese government may build a 
database of U.S. government employees that could help identify U.S. officials and their roles or 
that could help target individuals to gain access to additional systems or information. National 
security concerns include whether hackers could have obtained information that could help them
identify clandestine and covert officers and operations. 

The cybersecurity of most federal information systems is governed by the Federal Information 
Security Management Act (FISMA, 44 U.S.C. §3551 et seq.). Questions for policymakers include
whether existing provisions of law give agencies the legislative authority and resources they need 
to adequately address the risks of future intrusions. In addition, effective sharing of cybersecurity 
information has been considered an important tool for protecting information systems from 
unauthorized intrusions and exfiltration of data. The 114th Congress is considering legislation to
reduce perceived barriers to information sharing among private-sector entities and between them 
and federal agencies. 

On June 4, 2015, the U.S. Office of Personnel Management (OPM) revealed that a cyber
intrusion into its information technology systems and data “may have compromised the 
personal information of [approximately 4.2 million] current and former Federal 
employees.” 1 Later in June, OPM reported a separate cyber incident, which it said had 
compromised its databases housing background investigation records and resulted in the theft of 
sensitive information of 21.5 million individuals. 2 

The OPM breach, one of the largest reported on federal government systems, was detected partly 
through the use of the Department of Homeland Security’s (DHS’s) Einstein system — an 
intrusion detection system that “screens federal Internet traffic to identify potential cyber 
threats.” 3 Reportedly, the hackers used compromised security credentials — those assigned to a 
KeyPoint Government Solutions employee, a federal background check contractor working on 
OPM systems — to exploit OPM’s systems and gain access. 4 Officials do not believe that the 
intruders are still in the system. 5 

In the aftermath of the intrusions, Katherine Archuleta has stepped down as the director of OPM 
amid criticisms of how the agency managed its response to the intrusions and secured its 
information systems. Beth Cobert has taken on the role of acting director. In addition, OPM’s 
Electronic Questionnaires for Investigations Processing (e-QIP) application, the “web-based 
automated system that was designed to facilitate the processing of standard investigative forms 
used when conducting background investigations,” has been taken offline for “security 
enhancements.” 6 

Notably, as is common with data breaches, available information on the recent OPM breach
developments remains incomplete. Assumptions about the nature, origins, extent, and 
implications of the data breach may change, and some media reporting may conflict with official 
statements. Policymakers have received official briefings on the breach developments, and 
Congress has held a number of hearings on the issue. 7 This report provides an overview of the 
current understanding of the recent OPM breaches, as well as issues and questions raised about 
the source of the breaches, possible uses of the information exfiltrated, potential national security 
ramifications, and implications for the cybersecurity of federal information systems. 



1 Office of Personnel Management, “OPM to Notify Employees of Cybersecurity Incident,” press release, June 4, 2015. 

2 Office of Personnel Management, “OPM Announces Steps to Protect Federal Workers and Others From Cyber 
Threats,” press release, July 9, 2015. 

3 Ken Dilanian and Ricardo Alonso-Zaldivar, “Federal Data Compromised at OPM and Interior,” Associated Press, 
June 4, 2015. 

4 See, for example, testimony at U.S. Congress, House Committee on Oversight and Government Reform, OPM: Data 
Breach, 114th Cong., 1st sess., June 16, 2015.

5 Office of Personnel Management, Information About OPM Cybersecurity Incidents, https://www.opm.gov/ 
cybersecurity/. 

6 Office of Personnel Management, e-QIP Application, https://www.opm.gov/investigations/e-qip-application/. 

7 See, for example, U.S. Congress, House Committee on Oversight and Government Reform, OPM: Data Breach, 114th
Cong., 1st sess., June 16, 2015; U.S. Congress, House Committee on Oversight and Government Reform, OPM Data
Breach: Part II, 114th Cong., 1st sess., June 24, 2015; U.S. Congress, House Committee on Science, Space, and
Technology, Subcommittee on Research and Technology and Subcommittee on Oversight, Is the OPM Data Breach
the Tip of the Iceberg?, 114th Cong., 1st sess., July 8, 2015; U.S. Congress, Senate Committee on Homeland Security
and Governmental Affairs, Under Attack: Federal Cybersecurity and the OPM Data Breach, 114th Cong., 1st sess.,
June 25, 2015; and U.S. Congress, Senate Committee on Appropriations, Subcommittee on Financial Services and
General Government, OPM Information Technology Spending and Data Security, 114th Cong., 1st sess., June 23, 2015.



Congressional Research Service 






